View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016518 | CentOS-8 | firewalld | public | 2019-10-02 12:56 | 2020-04-16 05:41 |
Reporter | merhardt | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | new | Resolution | open | ||
Product Version | 8.0.1905 | ||||
Summary | 0016518: Bug in firewalld/nftables

Description | There seems to be a bug in nftables when using rich rules in firewalld that refer to ipsets with networks in CIDR notation. This seems to occur only when the "hash:net" ipset contains networks (/24). When creating a "hash:net" ipset with hosts in CIDR notation (/32) everything works as expected. The rich rule does not work and /var/log/firewalld shows:

```
2019-10-01 15:40:44 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:44 ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @example tcp dport 22 ct state new,untracked accept' failed:
2019-10-01 15:40:45 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:45 ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public
```

Steps To Reproduce | Firewalld running with default config:

```
firewall-cmd --permanent --new-ipset=example --type=hash:net
firewall-cmd --permanent --ipset=example --add-entry=10.10.123.0/24
firewall-cmd --permanent --ipset=example --add-entry=10.10.123.0/24
firewall-cmd --permanent --zone=public --add-rich-rule 'rule family=ipv4 source ipset=example port port=22 protocol=tcp accept'
firewall-cmd --permanent --zone=public --remove-service=ssh
init 6
```

Try to access the host via SSH from the networks within the ipset.

Additional Information | CentOS Linux release 8.0.1905 (Core) (Minimal installation using Kickstart)

```
firewalld-0.6.3-7.el8.noarch
nftables-0.9.0-8.el8.x86_64
```

Tags | firewalld, nftables
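
A check a defender would want after reading the log above, added here as an example that is not part of the bug report or of firewalld itself: when the nft invocation fails, the SSH allow rule never reaches the live ruleset (and in this report the zone dispatch rule for ens192 fails too) while firewalld keeps running, so the only evidence is the `failed:` lines in /var/log/firewalld and the absence of the rule in `nft list ruleset`. The script extracts the failed nft commands from firewalld log lines and verifies that expected rule fragments are present in a ruleset dump. The sample log lines are the ones quoted in the report; the ruleset dump is constructed and abbreviated, and the helper names `failed_nft_rules` and `missing_rules` are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from firewalld: audit whether
# firewalld's nftables backend really applied the rules you configured.
# Both helpers read from stdin so they can be fed the real data on a host:
#   failed_nft_rules < /var/log/firewalld
#   nft list ruleset | missing_rules 'ip saddr @example tcp dport 22' \
#                                    'goto raw_PRE_public'
# Assumptions: the log line format is the one quoted in the report, and the
# ruleset dump is the plain text printed by `nft list ruleset`.

# Print the nft invocation from every "ERROR: '/usr/sbin/nft ...' failed:" line.
failed_nft_rules() {
    sed -n "s|^.*ERROR: '/usr/sbin/nft \(.*\)' failed:.*|\1|p"
}

# Read a ruleset dump on stdin and print each expected fragment (given as
# arguments) that does not occur in it; exit status 1 if anything is missing.
missing_rules() {
    mr_dump=$(cat)
    mr_rc=0
    for mr_frag in "$@"; do
        if ! printf '%s\n' "$mr_dump" | grep -qF -- "$mr_frag"; then
            printf '%s\n' "$mr_frag"
            mr_rc=1
        fi
    done
    return $mr_rc
}

# Constructed sample input: the log lines quoted in the report.
sample_log() {
    cat <<'EOF'
2019-10-01 15:40:44 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:44 ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @example tcp dport 22 ct state new,untracked accept' failed:
2019-10-01 15:40:45 ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
EOF
}

# Constructed, abbreviated ruleset dump: the ipset exists but the allow rule
# that should reference it never landed (the situation the report describes).
sample_ruleset() {
    cat <<'EOF'
table inet firewalld {
    set example {
        type ipv4_addr
        flags interval
        elements = { 10.10.123.0/24 }
    }
    chain filter_IN_public_allow {
    }
}
EOF
}

# Stand-alone run: report what firewalld could not apply and what is absent.
echo "nft commands firewalld could not apply:"
sample_log | failed_nft_rules
echo "expected fragments absent from the ruleset:"
sample_ruleset | missing_rules 'ip saddr @example tcp dport 22' 'elements = { 10.10.123.0/24 }' \
    || echo "(live ruleset does not match the configured policy)"
```

On a host, run `failed_nft_rules < /var/log/firewalld` after a `firewall-cmd --reload` and pipe `nft list ruleset` into `missing_rules` with the fragments you expect (the `ip saddr @example` match, the `goto raw_PRE_<zone>` dispatch for each interface); a non-zero exit is the signal that the permanent configuration and the live ruleset disagree, which `firewall-cmd --state` alone will not tell you.
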
Note 0036157 by lee.jnk (2020-01-30):

Temporary workaround till CentOS 8.2: get a Red Hat Developer account, install RHEL 8.2 Beta and download the SRPMs:

```
yumdownloader --source nftables
yumdownloader --source libnftnl
yumdownloader --source libmnl
yumdownloader --source firewalld
```

Build the RPMs on a RHEL/CentOS 8.1 machine and install the resulting RPMs on CentOS 8.1. The only issue is you do not get updates in beta.

Note 0036442 by vladm (2020-03-03):

I went through the ordeal of rebuilding RPMs from RHEL 8.2b and that didn't help.

Note 0036448 by lee.jnk (2020-03-04):

I built the src RPMs in a CentOS 8.1 VM and installed all the resulting RPMs except the debug RPMs on the target machines. I am using the fix on 3 different machines (all VMs) now. I also had to reboot after the above install. Anyway, if you wait some more, it will be fixed in CentOS 8.1 also soon according to https://bugzilla.redhat.com/show_bug.cgi?id=1774742#c30

Note 0036455 by vladm (2020-03-04):

@lee.jnk - any specific notes for rebuilding the RPMs? The ones I got from RHEL8.2b seem to be the exact same version as currently coming with CentOS 8.1:

```
firewalld-0.7.0-5.el8.src.rpm
libmnl-1.0.4-6.el8.src.rpm
libnftnl-1.1.1-4.el8.src.rpm
nftables-0.9.0-14.el8.src.rpm
```

I rebuilt those with `rpmbuild --rebuild xxx.src.rpm` and installed the produced RPMs via `rpm -Uvh --force xxx.rpm`. And, like I mentioned above, I still have nft segfaults when hash:net ipsets are defined in firewalld.

Note 0036456 by vladm (2020-03-04):

OK, please ignore my last comment; somehow I managed to install and pull source RPMs from RHEL8.1 vs RHEL8.2b.

Note 0036699 by lee.jnk (2020-04-16):

The fix is available in the CentOS repos.

```
$ dnf upgrade
```

Note 0036700 by merhardt (2020-04-16):

I can confirm that the issue is fixed after applying the latest updates from the CentOS repos.

Date Modified | Username | Field | Change |
---|---|---|---|
2019-10-02 12:56 | merhardt | New Issue | |
2019-10-02 12:56 | merhardt | Tag Attached: firewalld | |
2020-01-30 01:05 | lee.jnk | Note Added: 0036157 | |
2020-01-30 04:25 | lee.jnk | Tag Attached: nftables | |
2020-03-03 17:50 | vladm | Note Added: 0036442 | |
2020-03-04 08:59 | lee.jnk | Note Added: 0036448 | |
2020-03-04 14:47 | vladm | Note Added: 0036455 | |
2020-03-04 14:55 | vladm | Note Added: 0036456 | |
2020-04-16 01:23 | lee.jnk | Note Added: 0036699 | |
2020-04-16 05:41 | merhardt | Note Added: 0036700 |